SQL injection: an everyday incident by Selim (09/11/2010)

It seems like we hear about SQL injection attacks more often these days, at least I do :)  This past week I was contacted twice regarding SQL injection attacks, and the victims were seeking help on how to get rid of attackers changing database tables or stealing sensitive information.  Then I stumbled upon this article (Hacker Hits British Navy Website with SQL Injection Attack):

"A hacker exploited a SQL injection vulnerability on the Royal Navy website to steal administrator passwords and usernames."

Big target indeed, and I've witnessed relatively small- to medium-sized targets this past week, with pretty much the same story.  The attacker exploits an injection, then either steals sensitive data or changes some values in the database tables to deface the site and perhaps inject trojans/malicious links.  What should we do then?

1) Perform a security assessment on the site yesterday! - prior to deploying on the public Internet.

2) If step #1 is not performed, schedule one soon :)  Depending on the importance of data and expected targeted attacks, one may choose to go with an automated scan instead of a full-blown pentest to save on $$$ and time, while accepting the risks and the great number of false positives that come with automated scans.

3) Identify the vulnerable form/URL -- When it is a bit late, try to figure out where the attack is taking place.  It may be possible to identify the vulnerable form by simply going through the web/app server logs and detecting unusual activity (injection attacks involving %27 or ' characters etc.)

4) Once found, perform data validation on form fields.  My recommendation would be to whitelist or perhaps sanitize input with a whitelist, depending on your requirements (see link for nice details from OWASP).  If you cannot find the vulnerable form/URL, you'll need to ask an expert to find the holes in your app, then perform data validation.
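Steps 3 and 4 as an added example (not part of the original post): a log triage that ranks which path/parameter received quote characters, followed by a whitelist check for the field it points to. The log lines, `/products.php`, `/search.php` and the `id` parameter are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines (not from a real site).
SAMPLE_LOG = """\
203.0.113.7 - - [09/Nov/2010:10:01:02 +0000] "GET /products.php?id=12 HTTP/1.1" 200 5120
203.0.113.7 - - [09/Nov/2010:10:01:09 +0000] "GET /products.php?id=12%27 HTTP/1.1" 500 310
203.0.113.7 - - [09/Nov/2010:10:01:15 +0000] "GET /products.php?id=12%2527 HTTP/1.1" 500 310
198.51.100.4 - - [09/Nov/2010:10:02:40 +0000] "GET /search.php?q=shoes&page=2 HTTP/1.1" 200 8841
198.51.100.9 - - [09/Nov/2010:10:03:11 +0000] "GET /search.php?q=men%27s+shoes HTTP/1.1" 200 9002
"""

REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded quotes (%2527) are seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_parameters(log_text):
    """Count requests with a quote in a parameter, keyed by
    (path, parameter, server_error) so 5xx responses stand out."""
    hits = Counter()
    for line in log_text.splitlines():
        m = REQUEST.search(line)
        if not m:
            continue  # not a request line we understand
        url, status = urlsplit(m.group(1)), int(m.group(2))
        # parse_qsl decodes once; fully_decode catches extra encoding layers.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if "'" in fully_decode(value):
                hits[(url.path, name, status >= 500)] += 1
    return hits

# Step 4: whitelist for the flagged field (assumed here to be a numeric id).
ID_WHITELIST = re.compile(r"[0-9]{1,10}")

def valid_id(raw):
    """Accept only 1-10 ASCII digits; reject anything else outright."""
    return ID_WHITELIST.fullmatch(raw) is not None
```

In the sample, `/products.php?id` collects two quote-bearing requests that both ended in a 500, while the single hit on `/search.php?q` is a legitimate apostrophe that returned 200, which is why the ranking keeps the response class. The whitelist narrows what reaches the query; binding the value as a query parameter instead of concatenating it into the SQL string is what keeps it from being parsed as SQL.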

 

Hope this helps to get started at the very least.  I know that this entry is pretty generic and needs a lot more details...

 

Tags: exploit vulnerability sql_injection hack attack


HP to acquire Arcsight by Selim (15/09/2010)

I think when a vendor focuses on a specific product and technology, it creates real value.  Arcsight has been the pioneer for the SIEM line of products, initially focusing purely on security event management, and did a very good job (though a bit on the $$$ side).  They then eventually expanded into incident management and log management areas and probably lost some market share while losing some focus.  Check out the recent news: HP to acquire Arcsight -- my feeling is that with such an acquisition the product will lose its edge on the creativity and innovation side, since the team will have to spend more time integrating the product into the rest of the HP family.  Perhaps it may be the end of such innovation on the SIEM side, I don't know; all I know is that these are business decisions that help the security market grow, and yet a side of me feels a bit sad to see such focused vendors become part of a bigger fish.

 

Tags: compliance_legal security


Successful attack on quantum cryptography by Selim (25/05/2010)

Quantum cryptography, based on Heisenberg's uncertainty principle, is supposedly a bullet-proof solution against eavesdropping.  However, as is the case with mathematical encryption solutions, it is not the math or quantum physics, it is the implementation that causes issues.

"Computer scientists have pulled off what is claimed to be the first successful attack against a commercial system based on theoretically uncrackable quantum cryptography."

In a world without communication errors, this is supposed to work but guess what, we are not in a perfect world :)

"In practice, however, it is not possible to completely eliminate errors in electronic communications because of factors such as noise and signal degradation. So practical systems accept key exchanges where the error rate is less than 20 per cent."

Here's the article

Tags: attack sniffing encryption


Back again... by Selim (22/03/2010)

It's been a while since my last entry.  I can come up with many excuses for my laziness, such as ongoing projects, developing our framework for the services we provide, carrying this blog application on top of that framework, creating a support application for our clients, updating and upgrading the alert service, etc.  In any case, we are back again and hope you enjoy this blog with up and coming content...


IIS 5/6 exploit by Selim (02/09/2009)

A recently published exploit for IIS 5.0/6.0 shows that even when you think you fixed/patched all the bugs, there's a huge one (i.e. remote root exploit) that has been hiding in there for a while.

"The vulnerability appears to be triggered only in limited circumstances, specifically when IIS is set to enable the file transfer protocol and there is a writable folder. While that suggests the majority of IIS installations aren't vulnerable, the universe of affected systems is still big enough to give the security conscious pause."

Perhaps it's time to upgrade and lock down :)

Tags: exploit vulnerability
